SANS ISC: InfoSec Handlers Diary Blog

VML vuln being actively exploited

Published: 2006-09-25
Last Updated: 2006-09-25 23:41:46 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)
MessageLabs has reported that e-cards are being used as an attack vector, exploiting the VML vulnerability in Microsoft Internet Explorer to download malware. There has been an upswing in web sites hosting the exploit and, of course, serving malware.

A reader wrote in after having seen a VML exploit and reviewing his firewall logs. The following web site URLs are deliberately munged and obfuscated until the site owners respond to the emails and phone calls advising them of the problem. Do not click on them using any web browser on a Microsoft platform.
The first site is
http:// www .allied(snipped) parts .com
The bottom of that page contains an iframe which loads:
http:// www .traffl(snipped) .info/out.php?s_id=1
Which goes and gets:
http://www .webmasters(snipped) .com/s_test/test/ vml_sp2_gamer .htm

Which contains the VML exploit. The fun doesn't stop there!
By now this system is thoroughly owned, and more malware follows.

vml_sp2_gamer.html pulls gamer.exe from the same site, which in turn grabs gamer1.exe and counter.exe and also reports the successful infection to another URL (raff).

gamer1.exe is a password stealer that is even detected by ClamAV: Trojan.Spy.Goldun-141
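The reader found this chain by reading firewall logs, and that is the defender's view worth automating: a landing page, an iframe to a redirector on a second host, an exploit page on a third, an executable fetched with the exploit page as referer, and then referer-less downloads and a beacon a few seconds later once the dropper (not the browser) is making requests. The script below is an added example, not code from the diary or from ISC; the proxy log lines are constructed to mirror the chain described above, the hostnames are `.invalid` placeholders rather than the munged sites, and the log format (epoch, client, method, URL, referer, content type, status) is an assumption.

```python
"""Reconstruct drive-by download chains from web proxy logs (added example)."""
from urllib.parse import urlsplit

# Constructed sample log. Columns: epoch client method url referer content-type status
# Hostnames are placeholders; file names follow the chain in the diary.
SAMPLE_LOG = """\
1159200000 10.0.0.5 GET http://www.parts-example.invalid/ - text/html 200
1159200001 10.0.0.5 GET http://www.redirector-example.invalid/out.php?s_id=1 http://www.parts-example.invalid/ text/html 200
1159200001 10.0.0.5 GET http://www.host-example.invalid/s_test/test/vml_sp2_gamer.htm http://www.redirector-example.invalid/out.php?s_id=1 text/html 200
1159200003 10.0.0.5 GET http://www.host-example.invalid/s_test/test/gamer.exe http://www.host-example.invalid/s_test/test/vml_sp2_gamer.htm application/octet-stream 200
1159200009 10.0.0.5 GET http://www.host-example.invalid/s_test/test/gamer1.exe - application/octet-stream 200
1159200010 10.0.0.5 GET http://www.host-example.invalid/s_test/test/counter.exe - application/octet-stream 200
1159200011 10.0.0.5 GET http://www.report-example.invalid/count.php?ok=1 - text/html 200
1159200200 10.0.0.7 GET http://intranet.invalid/news.html - text/html 200
1159200201 10.0.0.7 GET http://intranet.invalid/update.exe http://intranet.invalid/news.html application/octet-stream 200
"""

EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, ctype, status = line.split()
        events.append({"ts": int(ts), "client": client, "method": method, "url": url,
                       "referer": None if referer == "-" else referer,
                       "ctype": ctype, "status": int(status)})
    return events


def build_chains(events):
    """For every request, walk referer links back (per client) to the page that started it.
    Returns one chain per event, ordered landing page first."""
    by_client_url = {(e["client"], e["url"]): e for e in events}
    chains = []
    for e in events:
        chain, seen, cur = [e], {e["url"]}, e
        while cur["referer"] and cur["referer"] not in seen:
            parent = by_client_url.get((cur["client"], cur["referer"]))
            if parent is None:
                break
            chain.append(parent)
            seen.add(parent["url"])
            cur = parent
        chains.append(list(reversed(chain)))
    return chains


def find_drive_by(events, window=60):
    """Flag chains that cross at least two hosts and end in an executable download,
    and collect the same client's referer-less requests in the following `window`
    seconds: those are made by the dropper, not by the browser following a link."""
    incidents = []
    for chain in build_chains(events):
        last = chain[-1]
        if len(chain) < 2 or last["ctype"] not in EXECUTABLE_TYPES:
            continue
        hosts = {urlsplit(e["url"]).hostname for e in chain}
        if len(hosts) < 2:  # same-site download (e.g. an intranet update): not a drive-by chain
            continue
        followups = [e["url"] for e in events
                     if e["client"] == last["client"] and e["referer"] is None
                     and last["ts"] < e["ts"] <= last["ts"] + window]
        incidents.append({"client": last["client"],
                          "landing": chain[0]["url"],
                          "referring_page": chain[-2]["url"],
                          "dropper": last["url"],
                          "hops": [urlsplit(e["url"]).hostname for e in chain],
                          "followups": followups})
    return incidents


if __name__ == "__main__":
    for inc in find_drive_by(parse_log(SAMPLE_LOG)):
        print(f"{inc['client']}: {inc['landing']} -> ... -> {inc['dropper']}")
        print("  hops:", " -> ".join(inc["hops"]))
        for url in inc["followups"]:
            print("  follow-up:", url)
```

The cross-host test is what separates this chain from a legitimate same-site download (the intranet lines are there to show it being skipped), and the referer-less follow-ups are the part a signature on the exploit page would never see: by then the requests come from gamer.exe, so the only evidence left is timing and the client address.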

Many thanks to Daniel and Swa and the other ISC handlers.

Adrien de Beaupré
Cinnabar Networks/BSSI
